FreeBSD Bugzilla – Attachment 10550 Details for
Bug 21118
Multiple problems in ipfw's stateful code
[patch]
file.diff
file.diff (text/plain), 2.73 KB, created by
missnglnk
on 2000-09-08 15:50:00 UTC
Description:
file.diff
Filename:
MIME Type:
Creator:
missnglnk
Created:
2000-09-08 15:50:00 UTC
Size:
2.73 KB
patch
obsolete
>--- sys/netinet/ip_fw.c.orig Wed Sep 6 21:01:07 2000
>+++ sys/netinet/ip_fw.c Wed Sep 6 21:40:55 2000
>@@ -735,4 +735,3 @@
> break ;
>- default:
>-#if 0
>+ case TH_RST | (TH_RST << 8) :
> /*
>@@ -741,7 +740,18 @@
> */
>- if ( (q->state & ((TH_RST << 8)|TH_RST)) == 0)
>- printf("invalid state: 0x%x\n", q->state);
>-#endif
>+ printf("invalid state: 0x%x\n", q->state);
> q->expire = time_second + dyn_rst_lifetime ;
> break ;
>+ default:
>+ /*
>+ * A TCP packet found in unknown state, drop it.
>+ */
>+ DEB(printf("packet should be dropped (state: 0x%x)\n", q->state));
>+ old_q = q ;
>+ if (prev != NULL)
>+ prev->next = q = q->next ;
>+ else
>+ ipfw_dyn_v[i] = q = q->next ;
>+ dyn_count-- ;
>+ free(old_q, M_IPFW);
>+ break ;
> }
>@@ -838,4 +848,7 @@
> }
>- if (dyn_count >= dyn_max) /* try remove old ones... */
>- remove_dyn_rule(NULL, 0 /* expire */);
>+ /*
>+ * Unconditionally remove expired states.
>+ */
>+ remove_dyn_rule(NULL, 0 /* expire */);
>+
> if (dyn_count >= dyn_max) {
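Review bot: The `printf("invalid state: 0x%x\n", q->state);` kept in the new `case TH_RST | (TH_RST << 8) :` branch is now unconditional, whereas the removed code had it under `#if 0`; every packet that matches an existing RST|RST dynamic entry will write a console line, and that path is driven by whatever traffic reaches the firewall. It should be wrapped like the other diagnostics in this hunk, `DEB(printf("invalid state: 0x%x\n", q->state));`, or go through a rate limiter. Separately, the new `default:` unlinks and frees the entry and leaves `q` already pointing at `q->next` before `break ;`; if the enclosing loop (which starts and ends outside this hunk) also advances `q` and `prev` after the switch, one entry is skipped per removal, so the loop's advance step needs checking against this in-place removal.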
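Review bot: `remove_dyn_rule(NULL, 0 /* expire */);` now runs on every call of the enclosing function instead of only when `dyn_count >= dyn_max`, so each state installation pays for a sweep of the dynamic table (assuming remove_dyn_rule walks it, which this hunk does not show); that cost grows with the table and is reachable by any traffic that matches a keep-state rule. If the aim is only to stop expired entries from counting toward `dyn_max`, gating the sweep on elapsed time since the last one, or keeping the old `dyn_count >= dyn_max` condition and adding the sweep to the retry path, would bound it. The added empty `+` line before `if (dyn_count >= dyn_max) {` is stray whitespace. The enclosing function starts and ends outside the hunk.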
>@@ -1277,4 +1290,43 @@
> */
>- if (q == NULL && f->fw_flg & IP_FW_F_KEEP_S)
>- install_state(chain);
>+ if (q == NULL && f->fw_flg & IP_FW_F_KEEP_S) {
>+ /*
>+ * Instead of unconditionally adding a new state,
>+ * check the protocol and flags, and add a new state
>+ * or ignore packet.
>+ */
>+ switch(proto) {
>+ case IPPROTO_TCP:
>+ if (flags & TH_SYN) {
>+ DEB(printf("-- installing state for TCP packet\n"));
>+ install_state(chain);
>+ } else {
>+ DEB(printf("-- invalid TCP connection state\n"));
>+ }
>+ break;
>+ case IPPROTO_UDP:
>+ DEB(printf("-- installing state for UDP packet\n"));
>+ install_state(chain);
>+ break;
>+ case IPPROTO_ICMP:
>+ if (is_icmp_query(ip)) {
>+ DEB(printf("-- installing state for ICMP packet\n"));
>+ install_state(chain);
>+ } else {
>+ DEB(printf("-- invalid ICMP connection state\n"));
>+ }
>+ break;
>+ default:
>+ /*
>+ * Unknown packet, if default is to accept all
>+ * packets, add a new state, otherwise ignore.
>+ */
>+#ifdef IPFIREWALL_DEFAULT_TO_ACCEPT
>+ DEB(printf("-- installing state for unknown packet\n"));
>+ install_state(chain);
>+#else
>+ DEB(printf("invalid unknown protocol connection state\n"));
>+#endif
>+ break;
>+ }
>+ }
> #endif
>-- snip --
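Review bot: `if (flags & TH_SYN)` creates a state for any segment that carries SYN, including SYN|ACK, so a reply to a connection whose initial SYN was never tracked still gets a dynamic entry; if the intent is "new connections only", `if ((flags & (TH_SYN | TH_ACK)) == TH_SYN) {` is the tighter test. The block comment also says `* or ignore packet.`, but the non-matching branches only skip `install_state(chain)`; as far as this hunk shows, the packet itself still proceeds through the rule match, so `* or skip installing a state.` describes the code better. `flags`, `proto` and `is_icmp_query` are taken to be in scope from the surrounding code, which is outside the hunk, as is the rest of the enclosing function.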